CVE-2023-35674
published 2023-09-11CVE-2023-35674: In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation…
PriorityP181high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2023-10-04
Exploited in the wild
EPSS
2.20%
80.3th percentile
In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| platform | frameworks_base | >= 11:0 < 11:2023-09-01 | 11:2023-09-01 |
| platform | frameworks_base | >= 12:0 < 12:2023-09-01 | 12:2023-09-01 |
| platform | frameworks_base | >= 12L:0 < 12L:2023-09-01 | 12L:2023-09-01 |
| platform | frameworks_base | >= 13-next:0 < 13-next:2023-09-01 | 13-next:2023-09-01 |
| platform | frameworks_base | >= 13:0 < 13:2023-09-01 | 13:2023-09-01 |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability exists in WindowState.java onCreate method — monitor for unexpected background activity launches originating from unprivileged apps on Android 11, 12, 12L, and 13 ↗
- →Classify as local Elevation of Privilege (EoP) — no additional execution privileges or user interaction required, making it suitable for silent exploitation by a malicious app already on device ↗
- →Track Android internal bug reference A-264029851 in vendor patch advisories and OEM firmware changelogs to confirm patch application ↗
- →This vulnerability is listed in CISA KEV (Known Exploited Vulnerabilities) catalog — treat as actively exploited in the wild; prioritize detection on Android Framework versions 11, 12, 12L, and 13 ↗
- ·Affected AOSP versions are 11, 12, 12L, and 13 only — Android 14 and later are not listed as affected ↗
- ·The vulnerability is described as 'unspecified' in the CISA KEV entry, meaning full technical exploitation details are not publicly disclosed — detection must rely on behavioral indicators (unexpected background activity launches) rather than specific payload signatures ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
cisa7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Android Framework Privilege Escalation Vulnerability
cisa·2023-09-13·CVSS 7.8
CVE-2023-35674 [HIGH] Android Framework Privilege Escalation Vulnerability
Vulnerability: Android Framework Privilege Escalation Vulnerability
Affected: Android Framework
Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://source.android.com/docs/security/bulletin/2023-09-01; https://nvd.nist.gov/vuln/detail/CVE-2023-35674
Remediation Due Date: 2023-10-04
Android
CVE-2023-35674: Android Security Bulletin 2023-09-01
CVE: CVE-2023-35674
Severity: HIGH
Type: EoP
Affected AOSP versions: 11, 12, 12L, 13
References: A-264029851
vendor_android·2023-09-01·CVSS 7.8
CVE-2023-35674 [HIGH] CVE-2023-35674: Android Security Bulletin 2023-09-01
CVE: CVE-2023-35674
Severity: HIGH
Type: EoP
Affected AOSP versions: 11, 12, 12L, 13
References: A-264029851
Android Security Bulletin 2023-09-01
CVE: CVE-2023-35674
Severity: HIGH
Type: EoP
Affected AOSP versions: 11, 12, 12L, 13
References: A-264029851
GHSA
GHSA-48cj-hmgx-8f7h: In onCreate of WindowState
ghsa_unreviewed·2023-09-11
CVE-2023-35674 [HIGH] CWE-269 GHSA-48cj-hmgx-8f7h: In onCreate of WindowState
In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
OSV
CVE-2023-35674: In onCreate of WindowState
osv·2023-09-01
CVE-2023-35674 CVE-2023-35674: In onCreate of WindowState
In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
VulnCheck
Android Framework Privilege Escalation Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-35674 [HIGH] Android Framework Privilege Escalation Vulnerability
Android Framework Privilege Escalation Vulnerability
Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Affected: Android Framework
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://ti.qianxin.com/uploads/2024/02/02/dcc93e586f9028c68e7ab34c3326ff31.pdf
Remediation Due: 2023-10-04
No detection rules found.
No public exploits indexed.
Bleepingcomputer
December Android updates fix critical zero-click RCE flaw
blogs_bleepingcomputer·2023-12-04·CVSS 8.4
CVE-2023-40088 [HIGH] December Android updates fix critical zero-click RCE flaw
## December Android updates fix critical zero-click RCE flaw
## Sergiu Gatlan
Google announced today that the December 2023 Android security updates tackle 85 vulnerabilities, including a critical severity zero-click remote code execution (RCE) bug.
Tracked as CVE-2023-40088, the zero-click RCE bug was found in Android's System component and doesn't require additional privileges to be exploited.
While the company has yet to reveal if attackers have targeted this security flaw in the wild, threat actors could exploit it to gain arbitrary code execution without user interaction.
"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User int
Checkpoint
11th September – Threat Intelligence Report
blogs_checkpoint·2023-09-11·CVSS 9.8
CVE-2022-47966 [CRITICAL] 11th September – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 11th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th September, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Check Point warns of a recent Email phishing campaign abusing the data visualization tool – Google Looker Studio. Attackers use the tool to send slideshow emails to victims from official Google accounts, instructing them to visit 3 rd party websites to collect cryptocurrency. The websites will then prompt the victims
https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9ehttps://source.android.com/security/bulletin/2023-09-01https://android.googlesource.com/platform/frameworks/base/+/7428962d3b064ce1122809d87af65099d1129c9ehttps://source.android.com/security/bulletin/2023-09-01https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35674
2023-09-11
Published
2023-09-13
Added to CISA KEV
Exploited in the wild